Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1nODV2LXdmMjctNjd4Y84ABBec

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary

Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time.

Details

1. setup.ts:169 1 performs execSync with a command that gets
   invoked after interpretation by the shell. This command includes an
   interpolated process.env.USER variable, which an attacker could
   modify (without actually creating a new user) to inject arbitrary
   shell expressions into this execSync. This may or may not be likely
   in practice, but I believe the hygienic way to perform the underlying
   operation is to use execFileSync or similar and bypass the
   underlying shell evaluation.

2. setup.ts:229 2 has a nearly identical execSync to (1) above,
   but with $USER for shell-level interpolation rather than string
   interpolation. However, this is still injectable and would be best
   replaced by an execFileSync, per above.

3. arc-runner:40-44 3 has an execSync with multiple string
   interpolations. Most of these do not appear immediately injectible
   (since they appear to come from presumed trusted API responses), but
   the expansion of getRunnerTempDir() may be injectable due to its
   dependence on potentially attacker-controllable environment variables
   (e.g. RUNNER_TEMP). The underlying operation appears to be a trivial
   file copy, so this entire subprocess should in theory be replaceable
   with ordinary NodeJS fs API calls instead.

4. arc-runner:53 4 demonstrates the same weakness, and has the same
   resolution as (3).

5. arc-runner:57 demonstrates the same weakness as (3) and (4), and
   has the same resolution.

6. arc-runner:61 demonstrates the same weakness as (3), (4), and (5),
   and has the same resolution.

Permalink: https://github.com/advisories/GHSA-g85v-wf27-67xc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nODV2LXdmMjctNjd4Y84ABBec
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 days ago
Updated: 1 day ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-g85v-wf27-67xc, CVE-2024-52587
References:

• https://github.com/step-security/harden-runner/security/advisories/GHSA-g85v-wf27-67xc
• https://github.com/step-security/harden-runner/commit/0080882f6c36860b6ba35c610c98ce87d4e2f26f
• https://nvd.nist.gov/vuln/detail/CVE-2024-52587
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169
• https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229
• https://github.com/advisories/GHSA-g85v-wf27-67xc

Repository: https://github.com/step-security/harden-runner
Blast Radius: 1.0

Affected Packages